A rare FTP user has been detected on an existing FTP server

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-10-08
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • Palo Alto Networks Platform Logs

Detection Modules

Detector Tags

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A rare or new FTP user has been detected on an existing FTP server.

Attacker's Goals

  • Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.

Investigative actions

  • Verify that the new username is legitimate.
  • Examine the legitimacy of the application that produced this uncommon FTP activity.
  • Examine the parent process of this application.
  • Check the logs on the FTP server for a new user creation.
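The following Python is an added illustration of how the Synopsis parameters above fit together; it is not Palo Alto Networks' detection logic, which this page does not publish. It replays constructed FTP login records, treats a username as "rare or new" when it is absent from the server's 30-day baseline, stays silent for the first 14 days of data (activation), and raises at most one alert per server/user pair per day (deduplication). The record format, the one-day baseline lag and the sample logins are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Parameters taken from the alert's Synopsis.
TRAINING_PERIOD = timedelta(days=30)    # lookback used to build the per-server user baseline
ACTIVATION_PERIOD = timedelta(days=14)  # no alerts until this much data has been observed
DEDUP_PERIOD = timedelta(days=1)        # at most one alert per (server, user) in this window
# Assumption: the baseline is rebuilt daily, so logins under a day old are not yet in it.
BASELINE_LAG = timedelta(days=1)

# Constructed sample FTP logins, not real telemetry: (timestamp, server, username).
SAMPLE_LOGINS = [
    ("2024-09-01T08:00:00", "ftp-01", "svc_backup"),
    ("2024-09-02T08:00:00", "ftp-01", "svc_backup"),
    ("2024-09-05T09:15:00", "ftp-01", "jsmith"),
    ("2024-09-10T02:30:00", "ftp-01", "anonymous"),   # new, but inside activation: no alert
    ("2024-09-20T08:00:00", "ftp-01", "svc_backup"),  # baseline user: no alert
    ("2024-09-29T03:10:00", "ftp-01", "backup2"),     # new user on an existing server: alert
    ("2024-09-29T03:12:00", "ftp-01", "backup2"),     # same day: deduplicated
    ("2024-09-30T04:00:00", "ftp-01", "backup2"),     # next day: now part of the baseline
    ("2024-10-01T10:00:00", "ftp-02", "admin"),       # first login ever on ftp-02: not an existing server
]

def detect_rare_ftp_users(logins):
    """Replay logins in time order; return alerts as (timestamp, server, username)."""
    events = sorted((datetime.fromisoformat(t), s, u) for t, s, u in logins)
    if not events:
        return []
    first_seen = events[0][0]
    history = []      # every login replayed so far
    last_alert = {}   # (server, user) -> time of the last alert, for deduplication
    alerts = []
    for ts, server, user in events:
        # Baseline: logins on this server older than BASELINE_LAG but within TRAINING_PERIOD.
        baseline = [h for h in history if BASELINE_LAG <= ts - h[0] <= TRAINING_PERIOD and h[1] == server]
        server_existing = bool(baseline)
        user_known = any(h[2] == user for h in baseline)
        history.append((ts, server, user))
        if ts - first_seen < ACTIVATION_PERIOD:
            continue  # still in the activation period: learn only
        if not server_existing or user_known:
            continue  # a brand-new server is out of scope here; a known user is normal
        prev = last_alert.get((server, user))
        if prev is not None and ts - prev < DEDUP_PERIOD:
            continue  # deduplicated within the 1-day window
        last_alert[(server, user)] = ts
        alerts.append((ts.isoformat(), server, user))
    return alerts
```

Running detect_rare_ftp_users(SAMPLE_LOGINS) yields a single alert for backup2 on ftp-01; the same username a day later is already baseline, and the first login on ftp-02 is not an existing server and so is out of this alert's scope.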

Variations

Possible FTP User Scanning Detected

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A rare or new FTP user has been detected on an existing FTP server.

Attacker's Goals

  • Attackers may seek to access FTP resources to exfiltrate data, stage attack tools or create a command and control channel through a trusted service.

Investigative actions

  • Verify that the new username is legitimate.
  • Examine the legitimacy of the application that produced this uncommon FTP activity.
  • Examine the parent process of this application.
  • Check the logs on the FTP server for a new user creation.